diff --git a/app/controllers/api/v1/base_controller.rb b/app/controllers/api/v1/base_controller.rb
index 70acc12e4..6476a3797 100644
--- a/app/controllers/api/v1/base_controller.rb
+++ b/app/controllers/api/v1/base_controller.rb
@@ -152,15 +152,15 @@ module Api
 def load_inventory(key = :inventory_id)
 @inventory = @team.repositories.find(params.require(key))
+ raise PermissionError.new(Repository, :read) unless can_read_repository?(@inventory)
 end
 def load_inventory_column(key = :column_id)
- @inventory_column = @inventory.repository_columns
- .find(params.require(key))
+ @inventory_column = @inventory.repository_columns.find(params.require(key))
 end
 def load_inventory_item(key = :item_id)
- @inventory_item = @inventory.repository_rows.find(params[key].to_i)
+ @inventory_item = @inventory.repository_rows.find(params[key])
 end
 def load_project(key = :project_id)
@@ -175,6 +175,7 @@ module Api
 def load_task(key = :task_id)
 @task = @experiment.my_modules.find(params.require(key))
+ raise PermissionError.new(MyModule, :read) unless can_read_protocol_in_module?(@task.protocol)
 end
 def load_protocol(key = :protocol_id)
diff --git a/app/controllers/api/v1/workflow_statuses_controller.rb b/app/controllers/api/v1/workflow_statuses_controller.rb
index 6114d0c25..8fa996c1f 100644
--- a/app/controllers/api/v1/workflow_statuses_controller.rb
+++ b/app/controllers/api/v1/workflow_statuses_controller.rb
@@ -3,9 +3,7 @@ module Api
 module V1
 class WorkflowStatusesController < BaseController
- before_action only: :index do
- load_workflow(:workflow_id)
- end
+ before_action :load_workflow
 def index
 statuses = @workflow.my_module_statuses
diff --git a/app/controllers/my_modules_controller.rb b/app/controllers/my_modules_controller.rb
index ca74d7de4..6472cd3d4 100644
--- a/app/controllers/my_modules_controller.rb
+++ b/app/controllers/my_modules_controller.rb
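Review bot: `load_inventory_item` still reads `params[key]` while `load_inventory`, `load_inventory_column` and the other loaders in this hunk use `params.require(key)`, so a request without `item_id` reaches `find(nil)` and surfaces as a record-not-found instead of a missing-parameter error. The commit drops the `.to_i` but leaves that inconsistency in place; `@inventory_item = @inventory.repository_rows.find(params.require(key))` brings it in line with its siblings. The new `PermissionError` guard placed after the lookup matches the `load_task` hunk below and is worth keeping as is: the row is scoped to `@team` first, so the permission check never sees an unscoped id.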
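Review bot: The new guard in `load_task` passes `@task.protocol` to `can_read_protocol_in_module?` yet raises `PermissionError.new(MyModule, :read)`, so a reader has to work out why protocol readability stands in for module readability; a one-line comment above the raise such as `# read access to a task follows read access to its protocol` would make that explicit. If a module can exist without a protocol, that argument is nil here and the helper's behaviour on nil decides between a denial and an error, which is worth confirming since neither the helper nor the model is in the hunk. The same check is introduced in `check_view_permissions` in my_modules_controller.rb, where the same comment and nil question apply.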
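Review bot: `before_action :load_workflow` drops both the `only: :index` restriction and the explicit `:workflow_id` key that the replaced block passed. That is equivalent only if `index` is this controller's sole action and `load_workflow`'s default key is `:workflow_id`; neither is visible here, as the class body continues past the hunk and `load_workflow` is presumably defined alongside the other loaders in the base controller. If either does not hold, `before_action :load_workflow, only: :index` keeps the original scope, and a short comment on the callback line naming the route parameter it relies on would spare the next reader the trip to the base controller.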
@@ -313,11 +313,12 @@ class MyModulesController < ApplicationController
 end
 def check_view_permissions
- render_403 unless can_read_experiment?(@my_module.experiment)
+ render_403 unless can_read_protocol_in_module?(@my_module.protocol)
 end
 def check_update_state_permissions
 return render_403 unless can_change_my_module_flow_status?(@my_module)
+ render_404 unless @my_module.my_module_status
 end
diff --git a/app/permissions/my_module.rb b/app/permissions/my_module.rb
index a83fe4495..3419be5ef 100644
--- a/app/permissions/my_module.rb
+++ b/app/permissions/my_module.rb
@@ -1,13 +1,16 @@
+# frozen_string_literal: true
+
 Canaid::Permissions.register_for(MyModule) do
 # Module, its experiment and its project must be active for all the specified
 # permissions
 %i(manage_module
+ archive_module
 manage_users_in_module
 assign_repository_rows_to_module
- assign_sample_to_module
 create_comments_in_module
 create_my_module_repository_snapshot
- manage_my_module_repository_snapshots)
+ manage_my_module_repository_snapshots
+ change_my_module_flow_status)
 .each do |perm|
 can perm do |_, my_module|
 my_module.active? &&
@@ -52,12 +55,6 @@ Canaid::Permissions.register_for(MyModule) do
 user.is_technician_or_higher_of_project?(my_module.experiment.project)
 end
- # module: assign/unassign sample
- # NOTE: Use 'module_page? &&' before calling this permission!
- can :assign_sample_to_module do |user, my_module|
- user.is_technician_or_higher_of_project?(my_module.experiment.project)
- end
-
 # module: change_flow_status
 can :change_my_module_flow_status do |user, my_module|
 user.is_technician_or_higher_of_project?(my_module.experiment.project)
diff --git a/spec/requests/api/v1/workflow_statuses_controller_spec.rb b/spec/requests/api/v1/workflow_statuses_controller_spec.rb
index 8bf8e2a9c..4810cf508 100644
--- a/spec/requests/api/v1/workflow_statuses_controller_spec.rb
+++ b/spec/requests/api/v1/workflow_statuses_controller_spec.rb
@@ -2,7 +2,7 @@ require 'rails_helper'
-RSpec.describe 'Api::V1::WrokflowsController', type: :request do
+RSpec.describe 'Api::V1::WrokflowStatusesController', type: :request do
 before :all do
 @user = create(:user)
 @teams = create_list(:team, 2, created_by: @user)